Jul 07

Private Key for Original Petya Ransomware Released

Good news for some ransomware victims: The master key used to encrypt the original versions of Petya ransomware has been released. As a result, says the independent Polish information security researcher known as Hasherezade, security researchers can use it to build free decryptors for any victims who still have crypto-locked hard drives.

The bad news, however, is that the private key only works on the original versions of Petya. It cannot be used to decrypt PCs that were affected by the outbreak of Petya-like, crypto-locking malware that began June 27.

Security researchers have been variously referring to that malware as NotPetya, SortaPetya, Nyetya, ExPetr, Diskcoder.C and EternalPetya, among many other names. While it initially appeared to be Petya, upon closer inspection, security researchers say it only uses some Petya components. They have concluded that while the malware shares some similarities with Petya, many aspects of it are different.

The First Petya

The original Petya first appeared in 2016 as an innovative ransomware-as-a-service offering.

Petya introduced full-disk encryption - not just encrypting files - by encrypting the file system table, thus disabling a victim's ability to even boot their PC. Petya was also the first strain to begin doubling the ransom demand - in its case, after seven days - for non-payers, according to California-based security firm McAfee.

Later, "green" versions of Petya included a malicious payload called Mischa. Like Petya, Mischa is the name of a satellite in the James Bond movie "GoldenEye."

The developer - or group - behind Petya, Janus Secretary, released multiple versions of the malware, in part, because the security researcher known as leo_and_stone defeated the crypto in the first "red" version.

Hasherezade then discovered errors in how the second, "green" version implemented the Salsa cryptographic algorithm, allowing her to brute-force decrypt the master key, although doing so required about three days of processing.

Eventually, however, the developer - or developers - fixed their crypto implementation flaws, making their key - and thus the crypto used on PCs infected with the ransomware - impossible to crack.

Janus Resurfaces

But Janus Secretary resurfaced on June 28, the day after the NotPetya outbreak, to claim that it had nothing to do with NotPetya. Giving a shoutout to Hasherezade, Janus said it was testing whether the private key created for Petya - the original version - could be used to unlock NotPetya.

On Wednesday, Janus tweeted a link to a 256-byte file posted to the Mega file-hosting service, together with a clue - "They're right in front of you and can open very large doors" - and a link to a "GoldenEye" clip.

"The linked file was encrypted and password protected," Hasherezade says in a Wednesday blog post on the site of California-based security firm Malwarebytes. But she successfully guessed the password - based on the clue - and recovered Janus's private key.

That master Salsa key can now be used to create a decryptor for any files that were crypto-locked by Petya, as confirmed by Anton Ivanov, a security researcher at Moscow-based anti-virus firm Kaspersky Lab, who has long tracked Petya.

"This key cannot help in case of EternalPetya, since, in this particular case, the Salsa keys are not encrypted with Janus' public key, but, instead of this, erased and lost forever," Hasherezade says. "It can only help the people who were attacked by Petya/Goldeneye in the past."

Samaritan Update

This isn't the first time Janus appears to have turned cybercrime Samaritan. Last July, it dumped 3,500 crypto keys stolen from developers behind the rival Chimera ransomware project.

Hasherezade wrote in August 2016 that the keys checked out. "Probably most of the infected people already deleted their encrypted files," she wrote, but added that anyone who still had such files could contact Malwarebytes to get a working decryption key. Meanwhile, Kaspersky Lab added Chimera decryption to one of the free decryption tools it distributes via the No More Ransom portal.

This also isn't the first case of ransomware operators releasing a key that victims can use to unlock their PCs. In May 2016, researchers at Slovakian security firm ESET reported that after they reached out to the customer support channel operated by the gang behind TeslaCrypt ransomware, someone associated with that group released the master key for the malware online. Cue free decryption tools.

NotPetya: Ransomware or Disk Wiper?

But how did Petya code end up in NotPetya? So far, that's not clear, but it's the second time that the code appears to have been reused or pirated.

In March, Kaspersky Lab said it found reused Petya code in a new ransomware-as-a-service offering called PetrWrap that apparently hadn't been authorized by Janus.

On June 27, meanwhile, some reused Petya code appeared as part of NotPetya, which purports to be ransomware.

But mistakes - intentional or not - in the NotPetya code mean that many systems that were crypto-locked by NotPetya will never be able to be decrypted (see Latest Ransomware Wave Never Intended to Make Money).

Just to make things more confusing, the NotPetya attackers have appeared online and decrypted at least one crypto-locked file to prove their identity. But many security experts suspect that the entire operation was a disk-wiping attack against Ukraine, disguised as ransomware. And they believe that the attackers, who have offered to sell the private key for 100 bitcoins - currently worth $256,000 - are just trolling journalists and victims.

Security researchers at Helsinki-based security firm F-Secure, as well as U.K.-based researcher Marcus Hutchins, aka MalwareTech, say that, in theory, many victims could recover some files if the NotPetya private key was ever released.

One exception, however, is for any victims who were using anti-virus software from Kaspersky Lab, against which attackers appeared to have a "vendetta," Andy Patel, a security researcher at F-Secure, says in a blog post. "If this malware finds running Kaspersky processes on the system, it writes junk to the first 10 sectors of the disk, and then reboots, bricking the machine completely."

NotPetya Investigation Continues

NotPetya was distributed through at least three backdoors added to accounting and bookkeeping software called M.E. Doc, developed by Kiev-based Intellect Service, which were automatically pushed to users. Attackers then remotely accessed those backdoors to infect systems with three or more different types of malware in recent months (see NotPetya Patient Zero: Ukrainian Accounting Software Vendor).

Ukrainian police stormed the offices of Intellect Service this week to seize those servers, saying that they had detected an unfolding attempt to yet again distribute backdoored M.E. software via the firm's servers to its 400,000 users (see Police Seize Backdoored Firm's Servers to Stop Attacks).